fix(aws-lambda): let plugin level proxy take effect on EKS IRSA crede…

…ntial provider (#11551) This PR contains a fix to let aws-lambda plugin-level proxy configuration take effect when fetching IAM credentials in an EKS environment. The EKS IRSA credential provider(aka TokenFileWebIdentityCredentials) will fire a request to AWS STS service when fetching the credential, and the request itself may need to go through the plugin-level proxy configuration. Here we check if a proxy is configured and whether the plugin is running inside the EKS environment with IRSA related configuration provided, then we replace the provider with a new TokenFileWebIdentityCredentials that supports proxy. FTI-5242
Kong · Sep 13, 2023 · c2c8c24 · c2c8c24 · khcp-gha-bot · Sep 13, 2023
1 parent 798911a
commit c2c8c24
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/CHANGELOG/unreleased/kong/11551-1.yaml b/CHANGELOG/unreleased/kong/11551-1.yaml
@@ -0,0 +1,7 @@
+"message": "**AWS-Lambda**: let plugin-level proxy take effect on EKS IRSA credential provider"
+"type": "bugfix"
+"scope": "Plugin"
+"prs":
+- 11551
+"jiras":
+- "FTI-5242"
diff --git a/CHANGELOG/unreleased/kong/11551-2.yaml b/CHANGELOG/unreleased/kong/11551-2.yaml
@@ -0,0 +1,6 @@
+message: "Bumped lua-resty-aws from 1.3.1 to 1.3.2"
+type: dependency
+prs:
+  - 11551
+jiras:
+  - "FTI-5242"
diff --git a/kong-3.5.0-0.rockspec b/kong-3.5.0-0.rockspec
@@ -33,7 +33,7 @@ dependencies = {
   "lua-protobuf == 0.5.0",
   "lua-resty-healthcheck == 1.6.3",
   "lua-messagepack == 0.5.2",
-  "lua-resty-aws == 1.3.1",
+  "lua-resty-aws == 1.3.2",
   "lua-resty-openssl == 0.8.25",
   "lua-resty-counter == 0.2.1",
   "lua-resty-ipmatcher == 0.6.1",

diff --git a/kong/plugins/aws-lambda/handler.lua b/kong/plugins/aws-lambda/handler.lua
@@ -59,13 +59,33 @@ function AWSLambdaHandler:access(conf)
   if not lambda_service then
     local credentials = AWS.config.credentials
     -- Override credential config according to plugin config
+    -- Note that we will not override the credential in AWS
+    -- singleton directly because it may be needed for other
+    -- scenario
     if conf.aws_key then
       local creds = AWS:Credentials {
         accessKeyId = conf.aws_key,
         secretAccessKey = conf.aws_secret,
       }
 
       credentials = creds
+
+    elseif conf.proxy_url
+      -- If plugin config has proxy, then EKS IRSA might
+      -- need it as well, so we need to re-init the AWS
+      -- IRSA credential provider
+      and AWS_GLOBAL_CONFIG.AWS_WEB_IDENTITY_TOKEN_FILE
+      and AWS_GLOBAL_CONFIG.AWS_ROLE_ARN then
+        local creds = AWS:TokenFileWebIdentityCredentials()
+        creds.sts = AWS:STS({
+          region = region,
+          stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
+          ssl_verify = false,
+          http_proxy = conf.proxy_url,
+          https_proxy = conf.proxy_url,
+        })
+
+        credentials = creds
     end
 
     -- Assume role based on configuration
@@ -74,6 +94,7 @@ function AWSLambdaHandler:access(conf)
         credentials = credentials,
         region = region,
         stsRegionalEndpoints = AWS_GLOBAL_CONFIG.sts_regional_endpoints,
+        ssl_verify = false,
         http_proxy = conf.proxy_url,
         https_proxy = conf.proxy_url,
       })